Quantum-Space Attacks 



Ran Gelles Tal Mor 

Technion - Israel Institute of Technology 
Computer Science Department 

{gelles , talmo}@cs . technion . ac . 11 

February 5, 2008 



Abstract 

Theoretical quantum key distribution (QKD) protocols commonly rely on the use of qubits (quantum 
bits). In reality, however, due to practical limitations, the legitimate users are forced to employ a larger 
quantum (Hilbert) space, say a quhexit (quantum six-dimensional) space, or even a much larger quantum 
Hilbert space. Various specific attacks exploit of these limitations. Although security can still be proved 
in some very special cases, a general framework that considers such realistic QKD protocols, as well as 
attacks on such protocols, is still missing. 

We describe a general method of attacking realistic QKD protocols, which we call the 'quantum- 
space attack'. The description is based on assessing the enlarged quantum space actually used by a 
protocol, the 'quantum space of the protocol'. We demonstrate these new methods by classifying various 
(known) recent attacks against several QKD schemes, and by analyzing a novel attack on interferometry- 
based QKD. 



1 Introduction 

Quantum cryptography has brought us new ways of exchanging a secret key between two users (known 
as Alice and Bob). The security of such Quantum Key Distribution (QKD) methods is based on a very 
basic rule of nature and quantum mechanics — the "no-cloning" principle. The first QKD protocol was 
suggested in a seminal paper by Bennett and Brassard Ii5j| in 1984, and is now known as BB84. During 
recent years many security analyses were published B6l [35l |6l |42l |7l |22l which proved the information- 
theoretical security of the BB84 scheme against the most general attack by an unlimited adversary (known 
as Eve), who has full control over the quantum channeQ Those security proofs are limited as they always 
consider a theoretical QKD that uses perfect qubits. Although these security proofs do take errors into 
account, and the protocols use error correction and privacy amplification (to compensate for these errors and 
for reducing any partial knowledge that Eve might have), in general, they avoid security issues that arise 
from the implementation of qubits in the real world. 

A pivotal paper by Brassard, Liitkenhaus, Mor, and Sanders |[T2l [T3l presented the "Photon Number 
Splitting (PNS) attack" and exposed a security flaw in experimental and practical QKD: One must take into 
account the fact that Alice does not generate perfect qubits (2 basis-states of a single photon), but, instead, 
generates states that reside in an enlarged Hilbert space (we call it "quantum space" here), of six dimensions. 
The reason for that discrepancy in the size of the used quantum space is that each electromagnetic pulse that 
Alice generates contains (in addition to the two dimensions spanned by the single-photon states) also a 

'All QKD protocols assume that Alice and Bob also use an insecure, yet unjammable, classical channel. 
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vacuum state and three 2-photon states, and these are extremely useful to the eavesdropper. That paper 
proved that, in contrast to what was assumed in previous papers. Eve can make use of the enlarged space, 
and get a lot of information on the secret key, sometimes even full information, without inducing any noise. 
Many attacks on the practical protocols then followed (e.g., |! 25l 12611241136113411211 '). based on extensions of 
the quantum spaces, exploring various additional security flaws; other papers Il25ll40ll45il suggested possible 
ways to overcome such attacks. On the one hand, several security proofs, considering specific imperfections, 
were given for the BB84 protocol Ii24ll27l . Yet on the other hand, it is generally impossible now to prove 
the security of a practical protocol, since a general framework that considers such realistic QKD protocols, 
and the possible attacks on such protocols, is still missing. 

We show that the PNS attack, and actually all attacks directed at the channel, are various special cases 
of a general attack that we define here, the Quantum-Space Attack (QSA). The QSA generalizes existing 
attacks and also offers novel attacks. The QSA is based on the fact that the "qubits" manipulated in the 
QKD protocol actually reside in a larger Hilbert space, and this enlarged space can be assessed. Although 
this enlarged space is not fully accessible to the legitimate users, they can still analyze it, and learn what 
a fully powerful eavesdropper can do. We believe that this assessment of the enlarged "quantum space 
of the protocol" is a vital step on the way to proving or disproving the unconditional security of practical 
QKD schemes. We focus on schemes in which the quantum communication is uni-directional, namely, from 
Alice's laboratory (lab) to Bob's lab. We consider an adversary that can attack all the quantum states that 
come out of Alice's lab, and all the quantum states that go into Bob's lab. 

The paper is organized as follows: Definitions of the quantum spaces involved in the realization of 
a protocol, and of the "quantum space of the protocol", are presented and discussed in Section [2] The 
"quantum-space attack" is defined and discussed in Section [3] Using the general framework when the 
information carriers are photons is discussed in Section |4] Next, in Section [5] we show that the best known 
attacks on practical QKD are special cases of the QSA. Section [6] demonstrates and analyzes a novel QSA 
on an interferometric implementation of the BB84 and the six-state QKD protocols. Last, we discuss a few 
subtleties and open problems for future research in Section |7] 

We would like to emphasize that our (crypt)analysis presents the difficulty of proving unconditional 
security for practical QKD setups, yet also provides an important (probably even vital) step in that direction. 

2 The Quantum Space of the Protocol 

The Quantum Space Attack (QSA) is the most general attack on the quantum channel that connects Alice 
to Bob. It can be applied to any realistic QKD protocol, yet here we focus on uni-directional schemes and 
on implementations of the BB84 protocol and the six-state protocol. We need to have a proper model of 
the protocol in order to understand the Hilbert space that an unlimited Eve can attack. This space has never 
been analyzed before except for specific cases. Our main finding is a proper description of this space, which 
allows, for the first time, defining the most general eavesdropping attack on the channel. We start with a 
model of a practical "qubit", continue with understanding the spaces used by Alice and Bob, and end by 
defining the relevant space, the Quantum Space of the Protocol (QSoP), used by Eve to attack the protocol. 
The attacks on the QSoP are what we call Quantum-Space Attacks. 

2.1 Alice's realistic space 

In most QKD protocols, Alice sends Bob qubits, namely, states of 2 dimensional quantum spaces (H2). 
A realistic view should take into account any deviation from theory, caused by Alice's equipment. For 
example, Alice might encode the qubit via a polarized photon: \0z) via a photon polarized horizontally, and 
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Il^) polarized vertically. This can be written using Fock notatioij^as \nh,nvf where Uh (n^,) represents the 
number of horizontal (vertical) photons; then |0z) = |1,0)'' and = |0, 1)''. When Alice's photon is lost 
within her equipment (or during the transmission), Bob gets the state |0, 0)^, so that Alice's realistic space 
becomes H3. Alice might send multiple photons and then is of higher dimension, see Section 



4.2 



Definition 1. Alice's realistic space, H^, is the minimal space containing the actual quantum states sent 
by Alice to Bob during the QKD protocol. 

In the BB84 protocol, Alice sends qubits in twc|^ fixed conjugate bases. Theoretically, Alice randomly 
chooses a basis and a bit value and sends the chosen bit encoded in the appropriate chosen basis as a state in 
H2 (e.g. |0^),|1^), |0^.) = (|0,) + /V2, and |1^) = (|0^) - /V2). To abetter approximation, the 
states sent by Alice are four different states | V'i) A (^ = 1)2,3, 4) in her realistic space H^, spanned by these 
four states. This space H"^ is of dimension \H^\, commonly between 2 and 4, depending on the specific 
implementation. As practical instruments often diverse from theory, Alice might send quite different states. 



As an extreme example, see the tagging attack (Section 5.2 1, which is based on the fact that Alice's space 
could contain more than just these four theoretical states, so that \H^\ > 4 is possible. 



2.2 Extension of Alice's space 

Bob commonly receives one of several possible states | V'j ) A sent by Alice, and measures it. The most general 
measurement Bob can perform is to add an ancilla, perform a unitary transformation on the joint system, 
perform a complete measurement, and potentially "forget']^ some of the outcome^ However, once Alice's 
space is larger than H2, the extra dimensions provided by Ahce could be used by Bob for his measurement, 
instead 0/ adding an ancilla. Interestingly, by his measurement Bob might be extending the space vulnerable 
to Eve's attack well beyond H^. This is possible since in many cases the realistic space, H"^, is embedded 
inside a larger space M. 

Definition 2. The space M is the space in which is embedded, C M. The space M is the actual 
space available for Alice and an Eavesdropper 

Due to the presence of an eavesdropper, Bob's choice whether to add an ancilla or to use the extended 
space M is vital for security analysis. In the first case the ancilla is added by Bob, inside his lab, while in the 
second it is controlled by Alice, transferred through the quantum channel and exposed to Eve's deeds. Eve 
might attack the extended space M, and thus have a different effect on Bob, considering his measurement 
method. 

For example, suppose AUce sends two non-orthogonal states of a qubit, 6*0 = (sfng) and 9i = {^°2.ne)' 
with a fixed and known angle > > 45°. Bob would like to distinguish between them, while allowing 



inconclusive results sometimes, but no errors 
the following transformation U: 
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^States written using the Fock notation |-)'' are called Fock states, see Section|4] 

'The six-state scheme uses the three conjugate bases of the qubit space; namely, also \0y) — (|0z) + i| Iz)) / \/2, 
''By the term "forget" we mean that Bob's detection is unable to distinguish between several measured states. 
^This entire process can be described in a compact way by using a POVM (39l . 
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where |l)Anc = (i)yi„c" "^^^^ operation leads to a conclusive result with probability 2sin^^ (when the 
measured ancilla is \ 0)Anc), and inconclusive result otherwise. It is simple to see that the same measurement 
can be done, without the use of an ancilla, if the states 6q and 9i are embedded at Alice's lab in a larger 
space M, e.g. M = H'^, using Bob's transformation 

sin 9 

±sin6' I . (2) 




Vcos 26 

In the general case, the space M might be very large, even infinite. Bob might use only parts of it, for his 
measurements. 

A complication in performing security analysis is due to Bob's option to both use an ancilla and extend 
the space used by Alice. Our analysis in the following sections starts with the space extension only (Sections 



2.3 -2.4 1, and later on deals with the general case (Sections 2.5 -2.6 1. 



2.3 Bob's space, without an ancilla 

Let us formulate the spaces involved in the protocol, as described above. Assume Alice uses the space 
according to Definition [Tj which is embedded in a (potentially larger) space Af. Ideally, in the BB84 
protocol. Bob would like to measure just the states in H"^, but in practice he usually can not do so. Each 
one of Alice's states \il^i)A is transformed by Bob's equipment into some pure|^state | V'i)^/ G The space 
which is spanned by those states contains all the information about Alice's states {l^i)^}- 

More important. Bob might be measuring un-needed subspaces of M which Alice's states do not span. 
For instance, examine the case where Bob uses detectors to measure the Fock states 1 1, 0)'' and |0, 1)''. Bob is 
usually able to distinguish a loss (the state |0, 0)'') or an error (e.g. 1 1, 1)'', one horizontal photon and one ver- 
tical photon), from the two desired states, but he cannot distinguish between other states containing multiple 
photons. This means that Bob measures a much larger subspace of the entire space M, but (inevitably) inter- 
prets outcomes outside as legitimate states; e.g. the states |2, 0)'', |3, 0)'', etc. are (mistakenly) interpreted 



as |1, Of . See further discussion in Section 4.3 



We denote Bob's setup (beam splitters, phase shifters, etc.) by the unitary operation Ub, followed by 
a measurement; all these operations are operating on the space M (or parts of it). Bob might have several 
different setups (e.g. a different setup for the z-basis and for the x-basis). Let U be the set of unitary 
transformations in all Bob's setups. 

Definition 3. [Tiiis definition is Temporary.] Given a specific setup-transformation Uj G U, let H^^ C M 

be the subsystem actually measured by Bob, having K basis states {|</>fc) Bj}k=o...K-i- The set o/ Bob's 
Measured Spaces is the set {-?^^-' }j=o...j-i of J = |U| spaces. 

We have already seen that Bob might be measuring un-needed dimensions. On the other hand he might 
not measure certain subspaces of M, even when Alice's state might reach there. In either case, the deviation 
is commonly due to limitations of Bob's equipment. 

2.4 The quantum space of the protocol, without an ancilla 

The "quantum space of the protocol" (QSoP) is in fact Alice's extended space, taking into consideration 
its extensions due to Bob's measurements. The security analysis of a protocol depends on the space 
defined below. 



*The case in which Bob transposes the state into a mixed state is a special case of the analysis done in Section 
notion of mixed states or quantum mixture see I37II39I . 



2.5 



For the 
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Definition 4. [This definition is Temporary.] The reversed space ^ is the Hilbert space spanned by 
the states U^^{\(f)k) Bj), for each possible setup Uj G U, and for each basis state \4>k)Bj of the appropriate 
H^^ C M. 

The Space ^ usually resides in a larger space than H^. For instance, using photons, the ideal space 
consists of two modes with 2 basis states, see Section [4] Now ^ could have an infinite space in 
each mode, but also could have more modes. 

In order to derive the quantum space of the protocol we need to define the way Alice's space is extended 
according to , for this simple case where Bob does not add an ancilla. In this case, the space 
simply extends Alice's space to yield the QSoP via = + . Formally speaking 

Definition 5. [This definition is Temporary.] The Quantum Space of the Protocol, H^, is the space 
spanned by the basis states of the space and the basis states of the space . 

If Alice's realistic space is fully measured by Bob's detection process, then is a subspace of \ 
hence = H^'\ 

2.5 Bob's space (general case) 

In the general case, one must consider Bob's option to add an ancilla during his measurement process. This 
addition causes a considerable difficulty in analyzing a protocol, however it is often an inherent part of the 
protocol, and can not be avoided. We denote the added ancilla as the state |0) b' that resides in the space 

Definition 6. M' is the space that includes the physical space used by Alice as defined in Definition |2] in 
addition to Bob 's ancilla, M' = M . 

Bob measures a subspace of the space M', so the (permanent) definitions of his measured spaces H^^ 
and the reversed space should be modified accordingly. 

Definition 7. Given a specific setup-transformation lAj G U let H^^ C M' be the subsystem actually 
measured by Bob, having K basis states Bj}k=o...K~i- The set o/Bob's Measured Spaces, is the set 

{ff-^j }j=o...J-i of J = |U| spaces. 

2.6 The quantum space of the protocol (general case) 

The quantum space of the protocol is still Alice's extended space, while considering its extensions due to 
Bob's measurements. Yet, the added ancilla makes things much more complex. The security analysis of 
a protocol depends now not on the space defined below, but on a (potentially much larger) space 

obtained from it by tracing-out Bob's ancilla. As before, we first define the reversed space. 

Definition 8. The reversed space ^ is the Hilbert space spanned by the states Uj^{\(j)k) Bj ), for each 
possible setup lAj G U, and for each basis state of the appropriate H^^ C M' . 

Once a basis state of one of Bob's measured spaces \(t)k) Bj is reversed by UJ^ we result with a state 
that might, partially, reside in Bob's ancillary space H^' . Since Eve has no access to this space|^it must be 
traced-out (separated out), for deriving the QSoP. Let us redefine the QSoP given the addition of the ancilla: 

'Giving thiis space to Eve (for getting an upper bound on her information), miglit be easier to analyze, but is usually not possible 
since it would give her too much power, making the protocol insecure. 
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Definition 9. The Quantum Space of the Protocol, H^, is the space spanned by (a) the basis states of the 
space H^; and (b) the states Th: Bob^j"^ {\'i>k) Bj)\, (namely, after tracing out Bob), for each possible setup 
lAj G U, and for each basis state |(/>fc) Sj of the appropriate space H^K 

Whenever Ub entangles Bob's ancilla with the system sent from Alice, tracing out Bob's ancilla after 
performing U^^ might cause an increase of the QSoP to the dimension of Bob's ancillary space. For in- 
stance, assume Alice's state is embedded in an n-qubit space to which Bob adds an ancilla of n-qubits and 

performs a unitary transformation i^, such that for one state measured by Bob, Yl\=o^ |^)p|^)b'- 

Tracing out Bob from this state yields the maximally mixed state pp = ^ Yl'k=o^ that in this ex- 

ample the whole n-qubits space is spanned. 



3 The Quantum Space Attack 
3.1 Eavesdropping on qubits 

When Alice and Bob use qubits, in theoretical QKD, Eve can attack the protocol in many ways. In her 
simplest attack, the so-called "measure-resend attack". Eve performs any measurement (of her choice) on 
the qubit, and accordingly decides what to send to Bob. 

A generalization of that attack is the "translucent attack", in which Eve attaches an ancilla, in an initial 
state |0) E (and in any dimension she likes), and entangles the ancilla and Alice's qubit, using |0)£;|z)yi 
X]j=o \^ij)E\j)A where \i)A is a basis for Alice's qubit, and Eve's states after the unitary transformation are 
\Eij) E- Using this transformation one can define the most general "individual-particle attack" llT9ll2m . and 
also the most general "collective attack" ||9l|8l. In the individual-particle attack Eve delays the measurement 
of her ancilla till after learning anything she can about the qubit (e.g., its basis), while in the collective attack 
Eve delays her measurements further till she learns anything she can about all the qubits (e.g., how the final 
key is generated from the obtained string of shared bits), so she attacks directly the, final key. 

The most general attack that Eve could perform on the channel is to attack all those qubits transmitted 
from Alice to Bob, using one large ancilla. This is the "joint attack". Security, in case Eve tries to learn a 
maximal information on the final key, was proven in 1.461 [35l ID |42l [7J via various methods. The attack's 
unitary transformation is written as before, but with i a binary string of n bits, and so is j, |0)E|i)^ 

E|=0^ \Eij)E\j)- 



3.2 Eavesdropping on the quantum space of the protocol 

By replacing the qubit space H2 by Alice's realistic "qubit" in the space H^, and by defining Eve's attack 
on the entire space of the protocol H^, we can generalize each of the known attacks on theoretical QKD 
to a "quantum space attack" (QSA). We can easily define now Eve's most general individual-transmission 
QSA on a realistic "qubit", which generalizes the individual-particle attack earlier described. Eve prepares 
an ancilla in a state |0) e, and attaches it to Alice's state, but actually her ancilla is now attached to the entire 
QSoP. Eve performs a unitary transformation Ue on the joint state. If Eve's attack is only on H"^, we write 
the resulting transformation on any basis state of H^, \i)A, as |0)£;|i)yi —>■ ^ ■ \Eij)E\j)A, where the sum 



is over the dimension of H"^. The Photon-Number- Splitting attack (see Section |5.1[) is an example for such 



an attack. The most general individual-transmission QSA is based on a translucent QSA on the QSoP, 

j 

where the sum is over the dimension of H^. The subsystem in is then sent to Bob while the rest (the 
subsystem H^) is kept by Eve. We write the transformation on any basis state of H^, \i)p, but note that 
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it is sufficient to define the transformation on the different states in H"^, namely for all states of the form 
\i)A, since other states of the QSoP are never sent by Alice (any other additional subsystem of the QSoP is 
necessarily at a known state when it enters Eve's transformation). 

Attacks that are more general than the individual transmission QSA, the collective QSA and the. joint 
QSA, can now be defined accordingly. In the most general collective QSA, Eve performs the above translu- 
cent QSA on many (say, n) realistic "qubits" (potentially a different attack on each one, if she likes), waits 
till she gets all data regarding the generation of the final key, and she then measures all the ancillas together, 
to obtain the optimal information on the final key or the final secret. The most general attack that Eve could 
perform on the channel is to attack all those realistic "qubits" transmitted from Alice to Bob, using one large 
ancilla. This is the "joint QSA". The attack's unitary transformation is written as before, but with i a string 
of n digits rather than a single digit (digits of the relevant dimension of H^), and so is j, 



Eve measures the ancilla, after learning all classical information, to obtain the optimal information on the 
final key or the final secret. As before, it is sufficient to define the transformation on the different input states 
from {H^)^''. 

We would like to emphasize several issues: 1 .- When analyzing specific attacks, or when trying to obtain 
a limited security result, it is always legitimate to restrict the analysis to the relevant (smaller) subspace of 
the QSoP, for simplicity, e.g., to H^, or to , etc. 2 - Any bi-directional protocol will have a much 
more complicated QSoP, thus it might be extremely difficult to analyze any type of QSA (even the simplest 
ones) on such protocols. This remark is especially important since bi-directional protocols play a very 
important role in QKD, since they appear in many interesting protocols such as the plug-and-play |[33l . 
the ping-pong [10], and the classical Bob fTT] protocols. Specifically they provided (via the plug-and- 
play) the only commerical QKD so far L48. ,49,1 . 3.- It is well known that the collective or joint attack is 
only finished after Eve gets all quantum and classical information, since she delays her measurements till 
then 191 [H m |35l |7]| ; if she expects more information, she better wait and attack the final secret rather than 
the final key; it is important to notice that if the key will be used to encode quantum information (say, qubits) 
then the quantum-space of the protocol will require a modification, potentially a major one; It is interesting 
to study if this new notion of QSoP has an influence on analysis of such usage of the key as done (for the 
ideal qubits) in H . 

4 Photonic Quantum Space Attacks 
4.1 Photons as quantum-information carriers 

Since most of the practical QKD experiments and products are done using photons, in this section we 
demonstrate our QSoP and QSA definitions and methods via photons. Our analysis uses the Fock-Spacaj 




notations for describing photonic quantum spaces. For clarity, states written using the Fock notation are 
denoted with the superscript 'f', e.g. |0)'', |3)'', and |0, 3, 1)''. 

A photon can not be treated as a quantum system in a straightforward way. For instance, unlike dust 
particles or grains of sand, photons are indistinguishable particles, meaning that when a couple of photons 
are interacting, one cannot define the evolution of the specific particle, but rather describe the whole system. 

Let us examine a cavity, for instance. It can contain photons of specific wavelengthes (Ai, A2, etc.) and 
the energy of a photon of wavelength A is directly proportional to 1/A. While one cannot distinguish between 

description of the Fock space and Fock notations can be found in various quantum optic books, e.g. 1411 . 




(4) 



j=0 
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photons of the same wavelength, one can distinguish between photons of different wavelengths. Therefore, 
it is convenient to define distinguishable "photonic modes", such that each wavelength corresponds to a 
specific mode (so a mode inside a cavity can be denoted by its wavelength), and then count the number of 
photons in each mode. If a single photon in a specific mode carries some unit of energy, then n such photons 
of the same wavelength carry n times that energy. If the cavity is at its ground (minimal) energy level, we 
say that there are "no photons" in the cavity and denote the state as |0)'' — the vacuum state. The convention 
is to denote only those modes that are potentially populated, so if we can find n photons in one mode, and 
no photons in any other mode, we write. Inf. If two modes are populated by Ua and rit photons, and all 
other modes are surely empty, we write \na,nbY (or |m, nfab^. When there is no danger of confusion, and 
the number of photons per mode is small (smaller than ten), we just write \mnY for m photons in one mode 
and n in the other. In addition to its wavelength, a photon also has a property called polarization, and a 
basis for that property is, for instance, the horizontal and vertical polarizations mentioned earlier. Thus, two 
modes (in a cavity) can also have the same energy, but different polarizations. 

Outside a cavity photons travel with the speed of light, say from Alice to Bob, yet modes can still be 
described, e.g., by using "pulses" of light |[T4i . The modes can then be distinguished by different directions 
of the light beams (or by different paths), or by the timing of pulses (these modes are denoted by non- 
overlapping time-bins), or by orthogonal polarizations. 

A proper description of a photonic qubit is commonly based on using two modes 'a' and '6' which are 
populated by exactly a single photon, namely, a photon in mode a, so the state is |10)''^^, or a photon in 
mode b, so the state is |01)''^^. However, a quantum space that consists of a single given photonic mode 'a' 
is not restricted to a single photon, and can be populated by any number of photons. A basis for this space 
is with n > 0, so that the quantum space is infinitely large. Hoc- Theoretically, a general state in this 

space is can be written as the superposition Yl'^=o '^nlnfa^ with |c„p = 1, c„ G C. Similarly, a quantum 
space that consists of two photonic modes has the basis states |na, Ubf, for na,nb > and a general state 
is of the form E^„,„(,=o ^r^a.^bha, "-b)'' with X]J^,nt,=o l^n^.n^P = 1, Cn,,nt S C. This quantum space is 
described as a tensor product of two "systems" H^o 03 -ffoo- 

Using exactly two photons in two different (and orthogonal) modes assists in clarifying the difference 
between photons and dust particles (or grains of sand): Due to the indistiguishability of photons, only 3 
different states can exist (instead of 4): |20)^^^, 102)''^^^ and The last state has one photon in mode 

'a' and another photon in '6', however, exchanging the photons is meaningless since one can never tell one 
photon from another. 

A realistic model of a photon source (in a specific mode) is of a coherent pulse (a Poissonian distribution) 



including terms that describe the possibility of emitting any number n of photons. As the number of photons 
increases beyond some number, the probability decreases, so it is common to neglect the higher orders. 
In QKD, experimentalists commonly use a "weak" coherent state (such that \a\ <^ 1) and then terms 
with n > 3 can usually be neglected. There is also a lot of research about sources that emit (to a good 
approximation) single photons, and then, again, terms with n > 3 can usually be neglected. 

4.2 Alice's realistic photonic space 

While the theoretical qubit lives in H2, a. realistic view defines the space actually used by Alice to be much 
larger. The possibility to emit empty pulses increases Alice's realistic space into H-^, due to the vacuum 
state 1 00)^^^. When Alice sends a qubit using two modes, using a weak coherent state (or a "single-photon" 
source), her realistic space, H^, is embedded in Hoo^Hoo- Terms containing more than two photons can be 
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neglected, so these are excluded from Alice's space H"^. The appropriate realistic quantum space of Alice, 
H^, is now a quhexit: the six-dimensional space spanned by = {|00)^ |10)^ |00)^ |20)^ |02)''}. 



The PNS attack demonstrated in Section 5.1 is based on attacking this 6 dimensional space H^. Note also 
that terms with more than two photons still appear in M, and thus could potentially appear in the QSoP (and 
then used by Eve). 

At times, Alice's realistic space is even larger, due to extra modes that are sent through the channel, and 
are not meant to be a part of the protocol. These extra modes might severely compromise the security of 
the protocol, since they might carry some vital information about the protocol. A specific QSA based on 
that flaw is the "tagging attack" (Section 5.2 1. Note that even if Alice uses exactly two modes, the quantum 
space M where H"^ is embedded, certainly contains other modes as well. 



4.3 Extensions of the photonic space; the QSoP 

Let us discuss Bob's measurement of photonic spaces. There are (mainly) two types of detectors that can 
be used. The common detector can not distinguish a single photon from more than one photon (these kind 
of detectors are known as threshold detectors). The Hilbert space where Bob's measurement is defined 
is infinit^ since a click in the detector tells Bob that the number of photons occupying the mode is "not 
zero" i.e. the detector clicks when \nf is detected, for n > 1. This means that Bob measures the state 
|0)'', or he measures |2)'', . . . but then "forgets" how many photons were detected. Bob might severely 
compromise the security, since he inevitably interprets a measurement of a state containing multiple photons 
as the "legal" state that contains only a single photon. An attack based on a similar limitation is the "Trojan- 
Pony" attack described below, in Section [53] In order to avoid false interpretations of the photon number 
reaching the detector. Bob could use an enhanced type of detector known as the photon-number resolving 
detector or a counter (which is still under development). This device distinguishes a single photon from 
n > 2 photons, hence any eavesdropping attempt that generates multi-photon states can potentially be 
noticed by Bob. A much enhanced security can be achieved now, although the QSoP is infinite also in this 
case, due to identifying correctly the legitimate state from various legitimate states. 

The number of modes in the QSoP depends on Bob's detectors as well. Bob commonly increases the 
number of measured modes by "opening" his detector for more time-bin modes or more frequency modes. 
For instance, suppose Bob is using a detector whose detection time-window is quite larger than the width of 
the pulse used in the protocol, since he does not know when exactly Alice's pulse might arrive. The result is 
an extension of the space used by Alice, so that the QSoP includes the subspace of M that contains all these 
measured modes. When a single detector is used to measure more than one mode without distinguishing 
them, the impact on the security might be severe, see the "Fake state" attack (Section 

In addition to the known attacks described in the following subsection, a new QSA is analyzed in Sec- 
tion[6j where we examine the more general case of QSA, in which Bob adds an ancilla during the process. 



5 Known Attacks as Quantum-Space Attacks 

All known attacks can be considered as special cases of the Quantum-Space Attack. In this section we show 
a description of several such attacks using QSA terms. For each and every attack we briefly describe the 
specific protocol used, the quantum space of the protocol, and a realization of the attack as a QSA. 

' In practice, that space is as large as Eve might wish it to be. We can ignore the case where Eve uses too many photons so that 
the detector could burn due to the high energy, since it is not in Eve's interest. Thus, in some of the analyses below we replace oo 
by some large number L. 
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5.1 The photon number spUtting attack ||l3ll 



The Protocol. Consider a BB84 protocol, where Alice uses a "weak pulse" laser to send photons in two 
modes corresponding to the vertical and horizontal polarizations when using the z basis (the diagonal po- 
larizations then relate to using the x basis). Bob uses a device called a Pockel cell to rotate the polarization 
(by 45°) for measuring the x basis, or performs no rotation if measuring the z basis. The measurement of 
the state is then done using two detectors and a "polarization beam splitter" that passes the first mode to one 
detector and the second mode to the other detector (for a survey of polarization-based QKD experiments, 
see 1231 ini). 

The Quantum Space of the Protocol. Every pulse sent by Alice is in one of four states, each in a 
superposition of the 6 orthogonal states = {|00)'', |10)^, |01)'',|11)'',|20)'', |02)^}, where the space used by 
Alice is = Bob uses two setups, Ub^ = 1 for the z basis, and Ub^ for the x basis, which is more 



complex and described in Appendix A. 1 



The detectors used by Bob cannot distinguish between modes having single photon and multiple pho- 
tons. Each one of his two detectors measures the basis elements {|n)''} for n > (of the specific mode 
directed to that specific detector), where Bob interprets the states {|n)^} with n > 1 as measuring the state 

of the same mode. Bob's measured space is thus infinite and spanned by the states {|mn)^} for 
> 0. The QSoP is equal to H^- (= H^-) since performing U ^ does not change the dimension- 
ality of the spanned space (in both setups). 

The Attack. Eve measures the number of photons in the pulse, using non-demolition measurement. If 
she finds that the number of photons is > 1, she blocks the pulse and generates a loss. In the case she finds 
that the pulse consists of 2 photons, she splits one photon out of the pulse and sends it to Bob, keeping 
the other photon until the bases are revealed, thus getting full information of the key-bit. Eve sends the 
eavesdropped qubits to Bob via a lossless channel so that Bob will not notice the enhanced loss-rate. As 
is common in experimental QKD, Bob is willing to accept a high loss-rate (he does not count losses as 
errors), since most of Alice's pulses are empty. See the precise mathematical description of this attack in 
Appendix [A] 



5.2 The tagging attack (based on Il24ll ) 

The Protocol. Consider a BB84 QKD protocol in which Alice sends an enlarged state rather than a qubit. 
This state contains, besides the information qubit, a tag giving Eve some information about the bit. The 
tag can, for example, tell Eve the basis being used by Alice. For a potentially realistic example, let the tag 
be an additional qutrit indicating if Alice used the x-basis, or the z-basis, or whether the basis is unknown: 
whenever Alice switches basis, a single photon comes out of her lab prior to the qubit-carrying pulse, telling 
the basis, say using the states llO)^^^^ and lOl)'',^^, and when there is no change of basis, what comes out prior 
to the qubit is just the vacuum 100)^^^^. 

The Quantum Space of the Protocol. In this example, Alice is using the space = Hfag = 

H2 ® H^. Bob, unaware of the enlarged space used by Alice, expects and receives only the subspace H2. 
We assume that Bob ideally measures this space with a single setup Ub = I, therefore = H2. Since 
Bob's setup does not change the space, = H2 as well. However, the tag is of a much use to Eve, and 

indeed the QSoP following Definition|5j defined to be = H2® H,ag. 

The Attack. Eve uses the tag in order to retrieve information about the qubit without inducing error 
(e.g. via cloning the qubit in the proper basis). The attack is then an intercept-resend QSA. We mention that 
this attack is very similar to a side-channel cryptanalysis of classic cryptosystems. 

A Short Summery. It can be seen that the PNS attack described above is actually a special case of 
the tagging attack, where the tag in that case is in fact another copy of the transmitted qubit. This copy 
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is kept by Eve until the bases are revealed, then it can be measured so the the key-bit value is exposed 
with certainty. Both those QSA attacks are based on the fact that Alice (realistic) space is larger than the 
theoretical one. Although in the PNS example, the QSoP is further extended due to Bob's measurement, the 
attack is not based on that extension but on the fact that is larger than H2. In the following attacks Bob's 
measurements cause the enlargement of the QSoP, allowing Eve to exploit the larger QSoP for her attack. 



5.3 The Trojan-pony attack (SI |26l| 

In Trojan-pony attacks Eve modifies the state sent to Bob in a way that gives her information. In contrast to 
a "Trojan- horse" that goes in-and-out of Bob's lab, the "pony" only goes in, therefore, it is not considered 
an attack on the lab, but only on the channel. We present here an interesting example fl^. 

The Protocol. Assume a polarization-encoded BB84 protocol, in which Alice is ideal, namely, sending 
perfect qubits {H^ = H2). However, Bob uses realistic threshold detectors that suffer from losses and dark 
counts, and that cannot distinguish between one photon and k photons for 1 < /c < L. In order to be able 
to "prove" security, for a longer distance of transmission Bob wants to keep the error-rate low although the 
increase of dark counts' impact with the distance [13J. Therefore, Bob assumes that Eve has no control 
over dark counts, and whenever both detectors click, Alice and Bob agree to consider it as a loss since it 
is outside of Eve's control (i.e. the QSoP is falsely considered to be H2). Namely, they assume that an 
error occurs only when Bob measures in the right basis, and only one detector clicks, (which is the detector 
corresponding to the wrong bit-value). 



The Quantum Space of the Protocol. Same as in Section 5.1 Bob's measured spaces H^'', H^"^, 
the reversed space as well as the QSoP H^, are merely the spaces describing two modes (with 

up to L photons). Hi H^. Bob's detectors cannot distinguish between receiving a single-photon pulse 
from a multi-photon pulse, so his measurement is properly described as a projection of the received state 
onto the space containing followed by "forgetting" the exact result, and keeping only one of three 

results: "{10} = detector-1 clicks", "{01} = detector-2 clicks", and else it is {00}, a "loss". In formal, 
generalized-measurements language (called POVM, see |[39l[37]| ) these three possible results are written as: 
{10} = Efci |A:0)"(^0|, {01} ^ Y.k=l \0kf'{0k\, {00} ^ |00)"(00| + =1 l^i^2)"(fciA:2|, and 

their sum is the identity matrix. 

The Attack. Eve's attack is the following: (a) Randomly choose a basis (b) Measure the arriving qubit 
in that specific chosen basis (c) Send Bob m-photons identical to the measured qubit, where m » 1. 
Obviously, when Eve chooses the same basis as Alice and Bob then Bob measures the exact value sent by 
Alice, and Eve gets full information. Otherwise, both of his detectors click, implying a "loss", except for a 
negligible probability, 2^^™+^), thus Eve induces no errors. The main observation of this measure-resend 
QSA is that treating a count of more than a single photon as a loss, rather than as an error, is usually not 
justified. A second conclusion is that letting Bob use counters instead of threshold detectors (to distinguish a 
single photon from multiple photons), together with treating any count of more than one photon as an error, 
could be vital for proving security against QSA. The price is that dark counts put severe restrictions on the 
distance to which communication can still be considered secure, as suggested already by |[T3l . 



5.4 The fake-state attack (based on (Ml HI) 

The Protocol. In this example, we examine a polarization encoded BB84 protocol, and an ideal Alice 
{H^ = H2). This time Bob's detectors are imperfect so that their detection windows do not fully overlap, 
meaning that there exist times in which one detector is blocked (or it has a low efficiency), while the other 
detector is still regularly active. Thus, if Eve can control the precise timing of the pulse, she can control 
whether the photon will be detected or lost. The setup is built four detectors and a rotating mirror (since 
Bob does not want to spend money on a Pockel cell (polarization rotator), he actually uses 2 fixed different 
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setups). Using the rotating mirror Bob sends the photon into a detection setup for basis z or a detection 
setup for basis x. Suppose the two detection setups use slightly different detectors, or slightly different 
delay lines, or slightly different shutters, and Eve is aware of this (or had learnt it during her past attacks 
on the system). For simplicity, we model the non-overlapping detection windows, as additional two modes, 
one slightly prior to Alice's intended mode (the pulse), and one right after it. 

The Quantum Space of the Protocol. The original qubit is sent in a specific time -bin to (namely, 
= H2). The setup Uz is a set of two detectors and a polarized beam splitter, separating the horizontal 
and the vertical modes to the detectors, where Ux separate the diagonal modes into a set of two (different) 
detectors. Let the detectors for one basis, say z, be able to measure a pulse arriving at or ti, while the 
detectors for the other basis (x) measure pulses arriving at t_i or to- 

For simplicity, we degenerate the space to contain one or less photon^^ so that H^^ is H^, i.e. two 
possible time-bins consisting each of two (polarization) modes of one or less photons. The measured space 
of the x-setup has two possible time-bins and two possible polarization modes, thus H^"^ = as well, 
however, the two time-bins for this setup are and ti. Following Definition |4] we get that that the reversed 
space contains three time-bins (t_i, to and ti) with two polarization modes in each, therefore = 

Hj, under the single -photon assumption. The QSoP, following Definition Is] equals ^ since H"^ C 

The Attack. Eve exploit the larger space by sending "fake" states using the external time bins (t_i and 
ti). Eve randomly chooses a basis, measures the qubit sent by Alice, and sends Bob the same polarization 
state she found, but at t_i if she have used the x basis, or at ti if she have used the z basis. Since no ancilla 
is kept by Eve, this is an intercept-resend QSA. 

Bob will get the same result as Eve if he uses the same basis, or a loss otherwise. The mathematical de- 
scription of the attack is as follows: Eve can generate superpositions of states of the form | Vt_^Ht_^Vtf^HtQ Vt^ Ht^ f, 
where the index {H, V} denotes this mode has Vertical or Horizontal polarization, and its subscript denotes 
the time -bin of the mode. Eve's measure-resend attack is described as measuring Alice's qubit in the x basis, 
creating a new copy of the measured qubit, and performing the transformation (|001000)'' — > |100000)''); 
(lOOOlOO)'' lOlOOOO)'') or as performing a measurement in the z basis, and performing the transformation 
(joOlOOO)'' ^ joOOOlO)''); (|000100)'' ^ |000001)'') on the generated copy. 

A short summery We see that Eve can "force" a desired value (or a loss) on Bob, thus gaining all 
the information while inducing no errors (but increasing the loss rate). Bob can use a shutter to block the 
irrelevant time-bins but such a shutter could generate a similar problem in the frequency domain. This attack 
is actually a special case of the Trojan-pony attack, in which the imperfections of Bob's detectors allow Eve 
to send states that will be un-noticed unless the measured basis equals to Eve's chosen basis. 

6 Interferometric BB84 and 6-state Protocols 

In order to demonstrate the power of QSA, and to see its advantages, this section presents a partial security 
analysis of some interferometric BB84 and 6-state schemes. Interferometric schemes are more common than 
any other type of implementation in QKD experiments ||43l [321 |23l [181 [HI [33 and products P8l[49l . In 
this section we define the specific equipment used by Bob, and we formulate Ub and Bob's measurements. 
We then find the spaces H^, ' and the QSoP, H^. Finally, we demonstrate a novel attack which 

is found to be very successful against a specific variant of the BB84 interferometric scheme; this specific 
QSA, which we call the "reversed-space attack", is designed using the tools developed in Sections [2] and [3] 

'"As mentioned above, this is used for non-security proof, and is not legitimate assumption for proving unconditional security, 
where the three time-modes should be considered as Hl ® Hl ® Hl- 
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6.1 Bob's equipment 



We begin with a description of interferometric (BB84 and six-state) schemes, which is based on sending 
phase-encoded qubits arriving in two time-separated modes B3l [32l . Ahce encodes her qubit using two 
time-bins and t[, where a photon in the first mode, |10)''^,^, , represents the state |0^), and a photon in the 
other mode, lOlf,, ,, , represents ll^). The BB84 protocol of B3l l32l (and many others) uses the x and y 
bases, meaning that Alice (ideally) sends one of the following four states: lO^;) = (| 10)^^, ^, + |01)''^, ^, ) / \/2; 

= (IIO)-;,,, - |01)^,,,, )/V2; |0,) = (|10)^,,,, + i\0lY,,,,)/V2; and = (llO)^,,,,"- i\0lY,J,)/V2. 

Bob uses an interferometer built from two beam splitters with one short path and one long path (Fig- 
ure [T]). A pulse of light travels through the short arm of the interferometer in Tghort seconds, and through 
the long arm in Tiong = T'short + AT seconds, where AT is also precisely the time separation between 
the two arriving modes of the qubit, AT = t\ — t'^. A controlled phase shifter P^, is placed in the long 
arm of the interferometer. It performs a phase shift by a given phase 0, i.e. P^{\ip)) = e*'^|V')- The 
phase shifter is set to = (0 = 7r/2) when Bob measures the x (y) basis. Each beam splitter interferes 
two input arms (modes 1, 2) into two output arms (modes 3, 4), in the following way (for a single photon): 
\Wi,2 ^ 7i|10)3,4 + ;7i|01)3,4. and|01)'i2 ^ -j^\W3,4 + The photon is transmitted/reflected 
with a probability of 50%; The transmitted part keeps the same phase as the incoming photon, while the re- 
flected part gets an extra phase of e*'^/^, if it carries a single photon. When a single mode, carrying at least a 
single photon, enters a beam splitter from one arm, and nothing enters the other input arm, we must consider 
the other entry to be an additional mode (an ancilla) in a vacuum state. 

When a single mode (carrying one or more photons) enters the interferometer at time t'^, see Figure [T| it 
yields two modes at time to due to traveling through the short arm, and two modes at time ti due to traveling 
through the long arm. Those four output modes are: times to, ti in the 's' (straight) arm of the interferometer, 
and times Iq, ti in the 'd' (down) arm. A basis state in this Fock space is then \nso , , , n^^ )''. In the 
case of having that single mode carrying exactly a single photon, the transformation, which requires three 
additional empty ancilla^ is |000)'' ^ (|1000)'' - |0100)'' + «|0010)'' + i|0001)'') /2. Note that a pulse 
which is sent at a different time (say, t'^) results in the same output state, but with the appropriate delays, i.e. 

|l)'jJOOO)''H^(|1000)''-|0100)'' + i|0010)'' + i|0001)'') /2, (5) 

where the resulting state is defined in the Fock space whose basis states are |ns^, n^^^^, n^^, n^^^^). 

Let us now examine any superposition of two modes (tg and t'l) that enter the interferometer one after 
the other, with exactly the same time difference AT as the difference lengths of the arms. The state evolves 



in the following way (see Appendix B.2 1: 



cos 6)1 lO)";, J, lOOOO)^ + sin(9e*^|01)';,^j, lOOOO)'' ^ 

' cos 0| lOOOOOfs + (- cos Oe''^ + sin ^e^'^) lOlOOOOfs - sin 06*^'^+'^) lOOlOOO)''^ 
+ icos^lOOOlOOfs + i{cosee''f' + sin0e^'^)|OOOOlO)"B + ^sin^e^^^+'^^lOOOOOl)''^ ) /2 (6) 



describing the evolution for any possible BB84 state sent by Alice {\0x), |lx), |0y), \ly) determined by the 
value of (/? = 0, vr, |, ^ respectively, when 9 = j). As a result of this precise timing, these two modes are 
transformed into a superposition of 6 possible modes (and not 8 modes) at the outputs, due to interference 
at the second beam splitter. Only four vacuum-states ancillas (and not six) are required for that process. The 
resulting 6 modes are to, ti, t2 in the 's' arm and in the 'd' arm of the interferometer. Denote this Fock 
space as H^, with basis elements In^g , , , ridg , Ud^ , n^^ Yb- 



"See a brief description in Appendix B.l 
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The measurement is performed as follows: Bob opens his detectors at time ti in both output arms of 
the interferometer. A click in the "down" direction means measuring the bit-value 0, while a click in the 
"straight" direction means 1. The other modes are commonly considered as a loss (they are not measured) 
since they give an inconclusive result regarding the original qubit. We refer this BB84 variant as "xy-BB84". 

One might want to use the z basis in his QKD protocol (using ip = 0, and 9 = or 9 = for instance, 
in order to avoid the need for a controlled phase shifter or for another equipment-related reason, or in order 
to perform "QKD with classical Bob" ifTTl . A potentially more important reason might be to perform the 
6-state QKD 111 51 [3l |29'| protocol, due to its improved immunity against errors (27.4% errors versus only 
20% in BB84 lfT6]l ). A possible and easy to implement variant for realizing a measurement in the z basis is 
the following: Bob uses the setup Ub^ (i.e. he sets to i?!* = 0), and opens his detectors at times to and 
t2, corresponding to the bit- values and 1 respectively (See Equation Q). Unfortunately, technological 
limitations, e.g. of telecommunication wavelength (IR) detectors, might make it difficult for Bob to open 
his detectors for more than a single detection window per pulse. Bob could perform a measurement of just 
the states {|000100)''^, |001000)^^}, opening the d arm detector at time Iq (to measure |0z)) and the s arm 
detector at time t2 (to measure We refer this variant as "xyz-six-state". 



6.2 The quantum space of the interferometric protocols 

We assume Alice to be almost ideal, having the realistic space = (a qubit or a vacuum state), using 
two time-bin modes. As we have seen, four ancillary modes in vacuum states are added to each transmission. 
Therefore, the interferometer setups Ub^ and UBy transform the 2-mode states of into a subspace that 
resides in the 6 modes space . For simplicity, we assume that Eve does not generate n-photon states, 
with re > 2, so we can ignore high photon numbers in the spac^^ Therefore, we redefine = H-j, 
the space spanned by the vacuum, and the six single-photon terms in each of the above modes. 

Using the x and y bases. Bob measures only time-bin ti, so his actual measured spaces consist of two 
modes: time-bin ti in the 's' arm and the 'd' arm. In that case, the measured spaces are H^"^ = H^y = H^, 
spanned by the states {|000000)''^, |010000)''^, |000010)''^}. When Bob uses the z basis, he measures two 
different modes, so H^'^ is spanned by the states {1000000)^5, lOOOlOO)'^, jOOlOOO)''^}. 

Let us define the appropriate space ^ for the 6-state protocol, according to Definition [s] The 
space H^~^ is spanned by the states given by performing U £ {UB.^MBy} on {jOOOOOO)''^, lOlOOOO)""^, 
1000010)'^^}, as well as the states given by performing Ub, on {jOOOOOO)''^, lOOOlOO)''^ , lOOlOOO)''^}. In- 
terestingly, once applying U^"^, the resulting states are embedded in an 8-mode space defined by the two 
incoming arms of the interferometer, 'a' (from Alice) and '6' (from Bob), at time bins t'_i, tg, t'l, and t'2. 
The basis states of ^ are listed in Appendix B.3 

Following Definition|9| the QSoP of this implementation for the 6-state protocol, is the subsystem of 
which is controlled by Eve. It is spanned by the 8-mode states spanning after tracing out Bob. 

The space that contains those "traced-out" states has only four modes that are controlled by Eve, specifically, 
input 'a' of the interferometer at times t'_i to t'2, having a basis state of the form la^' j^o,t'g'^t[^t'^Tp- Given 
the single -photon restriction, we get = H^, namely, the space spanned by the vacuum state, and a single 
photon in each of the four modes, i.e. {|0000)^p, |1000)'p, |0100)'p, |0010)'p , |0001)'p}. This same resuk is 
obtained also if Bob measures all the six modes in H^. 

Bob might want to see how the basis states of the 4-mode QSoP, H^, evolve through the interferometer 
in order to place detectors on the resulting modes, which will be used to identify Eve's attack. It is interesting 
to note, that those basis states result in 10 different non-empty modes (!). If Bob measures all these modes, 
he increases the QSoP, and maybe allows Eve to attack a larger space, and so on and so forth. Therefore, in 
order to perform a security analysis, one must first fix the scheme and only then assess the QSoP. Otherwise, 



'^As mentioned in Section|2] this assumption is not legitimate when proving unconditional security of a protocol. 
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a "ping-pong" effect might increase the spaces' dimensions to infinity. A similar, yet reversed logic, hints 
that it could actually be better for Bob, in terms of the simplicity of the analysis for the "j;y-BB84" scheme, 
to measurejMrf the two modes at ti (i.e. the space spanned by |0, n^^ , 0, 0, n^^ , 0)''^), thus reducing the QSoP 



to a 2-mode space, , see Appendix |B.4| Although Eve is allowed to attack a larger space than this 

two-mode , she has no advantage in doing so: pulses that enter the interferometer on different modes 
(i.e. other time-bins than t'^ and t'^), never interfere with the output pulses of time -bin ti measured by Bob. 
Therefore, state occupying different modes can not be distinguished from the states in which those modes 
are empty. 

6.3 The "Reversed- Space" attack on interferometric protocols 

Consider a BB84 variant in which Bob uses only the x and the z bases, using a single interferometer, where 



the z-basis measurement is performed according to the description in the last few lines of Section 6.1 We 
refer this variant as "a;2;-BB84". The QSoP of this scheme, is the space described above for the "xyz- 
six-state" protocol. The following attack 

1 1 

|0)£;|0100)p ^-|So)s(|1000)'p + lOlOOfp) + -|Si)s(|0010)'p + lOOOlfp) (7) 

|0)ij|0010)p ^^|Si)s(-|1000)'p + |0100)'p) + ^|Eo)i?(|0010)'p - |0001)'p) (8) 

which we call "the Reversed-Space Attack", allows Eve to acquire information about the transmitted qubits, 
without inducing any errors. The states \ -)e denote Eve's ancilla which is not necessarily a photonic system. 
The state 10^)^ = |0100)p and \1z)a = |0010)p are the regular states send by Alice, where we added 
the relevant extension of H"^ in . When \Qz)a is sent by Alice, the attacked state hlE\^) e\^z) A reaches 
Bob's interferometer, and interferes in a way such that it can never reach Bob's detector at time t2, i.e. 
^(OOlOOOls^^p^ {{Ue\Q)e\^z)a) lOOOO)''^,) = 0. Although the attacked state Z^£;|0)e|0^)a reaches modes 
that Alice's original state \^z)a can never reach. Bob never measures those modes, and cannot notice the 
attack. A similar argument applies when Alice sends ll^)^- 
As for the x basi^^ this attack satisfies 

\^)e\^x)a^ 

-^(I^o)e + |^i)b)(|0100)'p + |0010)'p) + ^(I^o)e - \Ei)E)mmp " lOOOlfp) (9) 



\^)e\'^x)a ^ 

-^(|So)s - |^i)s)(|0100)'p - |0010)'p) + -^{\Eo)e + |^i)£;)(|1000)'p + |0001)'p). (10) 

The first element in the sum results in the desired interference in Bob's lab, while the second is not measured 
by Bob's detectors at time ti. By letting Eve's probes |ii^o) e and \Ei) e be orthogonal states. Eve gets a lot 
of information while inducing no errors at all. Yet, we find that Eve is increasing the loss rate by this attack 
to 87.5%, but a very high loss rate is anyhow expected by Bob (as explained in the analysis of the PNS [il^ 
and the tagging [24] attacks). 

In conclusion, this attack demonstrates the risk of using various setups without giving full security 
analysis for the specific setup. We are not familiar with any other security analysis that takes into account 
the enlarged space generated by the inverse-transformation of Bob's space. 

"For simplicity we use the sliorter notation \Q^) = (|0100)p + |0010f ) /\/2, etc. 
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7 Conclusion 



In this paper we have defined the QSA, a novel attack that generalizes all currently known attacks on the 
channel. This new attack brings a new method for performing security analysis of protocols. The attack is 
based on a realistic view of the quantum spaces involved, and in particular, the spaces that become larger 
than the theoretical ones, due to practical considerations. Although this paper is explicitly focused on the 
case of uni-directional implementations of a few schemes, its main observations and methods apply to any 
uni-directional QKD protocol, to bi-directional QKD protocols, and maybe also to any realistic quantum 
cryptography scheme beyond QKD. 

The main conclusion of this research is that the quantum space which is attacked by Eve can be assessed, 
given a proper understanding of the experimental limitations. This assessment requires a novel cryptanalysis 
formalism — analyzing the states generated in Alice's lab, as well as the states that are to be measured by 
Bob (assessing them as if they go backwards in time from Bob's lab); this type of analysis resembles the 
two-time formalism in quantum theory llTl l44ll . 

Open problems for further theoretical research include: 1.- Generalization of the QSA to other conven- 
tional protocols (such as the two-state protocol, EPR-based protocols, d-level protocols, etc.); such a gen- 
eralization should be rather straightforward. 2.- Proving unconditional security (or more limited security 
results such as "robustness" Ell) against various QSAs. This is especially important for the interferometric 
setup, where the QSoP is much larger than Alice's six-dimensional space (the one spanned by x^)- 3.- 
Describing the QSA for more complex protocols, such as two-way protocols f33l [T0l[TTIl in which the quan- 
tum communication is bi-directional, and protocols which use a larger set of states such as data-rejected 
protocols 121 or decoy-state protocols ||25l |45l |30l l47l . 4.- Extend the analysis and results to composable 
QKD (4]. 5(a).- In some cases, if Bob uses "counters" and treats various measurement outcomes as er- 
rors, the effective QSoP relevant for proving security is potentially much smaller than the QSoP defined 
here. 5(b).- Adding counters on more modes increases the QSoP defined here, but might allow analysis of 
a smaller "attack's QSoP", if those counters are used to identify Eve's attack. More generally, the connec- 
tion between the way Bob interprets his measured outcomes, and the "attack's QSoP" is yet to be further 
analyzed. 

Acknowledgments. We thank Michel Boyer, Dan Kenigsberg and Hoi-Kwong Lo for helpful remarks. 

References 

[1] D. Z. Albert, Y. Aharonov, and S. D'Amato. Curious new statistical prediction of quantum mechanics. Physical 

Review Letters, 54(l):5-7, Jan 1985. 
[2] S. M. Barnett, B. Huttner, and S. J. D. Phoenix. Eavesdropping Strategies and Rejected-data Protocols in 

Quantum Cryptography. Journal of Modern Optics, 40:2501-2513, Dec. 1993. 
[3] H. Bechmann-Pasquinucci and N. Gisin. Incoherent and coherent eavesdropping in the six-state protocol of 

quantum cryptogi-aphy. Physical Review A, 59(6):4238^248, Jun. 1999. 
[4] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim. The universal composable security 

of quantum key distribution. In TCC 2005: Second Theory of Cryptography Conference, pages 386-406, Jan. 

2005. 

[5] C. H. Bennett and G. Brassard. Quantum Cryptography: Public key distribution and coin tossing. Proceedings 

of IEEE International Conference on Computers, Systems and Signal Processing, pages 175-179, Dec. 1984. 
[6] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. P. Roychowdhury. A proof of the security of quantum 

key distribution. In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing ( STOC), pages 

715-724, New York, 2000. ACM Press. 
[7] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. P. Roychowdhury. A proof of the security of quantum key 

distribution. J. Cryptology, 19(4):381-439, 2006. 



16 



[8] E. Biham, M. Boyer, G. Brassard, J. van de Graaf, and T. Mor. Security of Quantum Key Distribution Against 

All Collective Attacks. Algorithmica, 34:372-388, Nov. 2002. 
[9] E. Biham and T. Mor. Security of quantum cryptography against collective attacks. Physical Review Letters, 

78(ll):2256-2259, Mar 1997. 
[10] K. Bostrom and T. Felbinger Deterministic secure direct communication using entanglement. Physical Review 

Letters, 89(18): 187902, Oct 2002. 
[11] M. Boyer, D. Kenigsberg, and T. Mor Quantum key distribution with classical Bob. ArXiv Quantum Physics 

e-prints, 2007. quant-ph/07 03 107| 
[12] G. Brassard, N. Liitkenhaus, T. Mor, and B. C. Sanders. Security Aspects of Practical Quantum Cryptography. 

In EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, 

LNCS 1807:289-299, 2000 

[13] G. Brassard, N. Liitkenhaus, T. Mor, and B. C. Sanders. Limitations on Practical Quantum Cryptography. 

Physical Review Letters, 85:1330-1333, Aug. 2000. 
[14] K. J. Blow, R. Loudon, S. Phoenix and T. J. Shepherd. Continuum fields in quantum optics Physical Review A, 

42(7):4102-4114, Oct. 1990. 

[15] D. BruB. Optimal Eavesdropping in Quantum Cryptography with Six States. Physical Review Letters, 81:3018- 
3021, Oct. 1998. 

[16] H. F. Chau. Practical scheme to share a secret key through a quantum channel with a 27.6% bit error rate. 

Physical Review A, 66(6):060302, Dec. 2002. For different (slightly smaller) numbers, see l[24\l . 
[17] M. Dusek, N. Lutkenhaus, and M. Hendrych. Quantum Cryptography. ArXiv Quantum Physics e-prints, Jan. 

2006. quant-ph/0601207 

[18] C. Elliott, D. Pearson, and G. Troxel. Quantum cryptography in practice. In SIGCOMM '03: Proceedings of 

the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, 

pages 227-238, New York, NY, USA, 2003. ACM Press. 
[19] A. Ekert, B. Huttner, G. Palma and A. Peres. Eavesdropping on quantum-cryptographical systems. Physical 

Review A, 50(2): 1047-1056, Aug. 1994. 
[20] C. Fuchs, N. Gisin, R. Griffiths, C.S. Niu and A. Peres. Optimal eavesdropping in quantum cryptography. I. 

Information bound and optimal strategy. Physical Review A, 56(2): 1163-1 172, Aug. 1997. 
[21] N. Gisin, S. Easel, B. Kraus, H. Zbinden, and G. Ribordy. Trojan-horse attacks on quantum-key-distribution 

systems. Physical Review A, 73(2):022320-H-, Feb. 2006. 
[22] N. Gisin, B. Kraus, and R. Renner Lower and upper bounds on the secret key rate for QKD protocols using 

one-way classical communication. Physical Review Letters, 95:080501, 2005. 
[23] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography. Reviews of Modern Physics, 74:145- 

195, Jan. 2002. 

[24] D. Gottesman, H.-K. Lo, N. Liitkenhaus, and J. Preskill. Security of quantum key distribution with imperfect 

devices. Quantum Information and Computation, 5:325-360, 2004. 
[25] W.-Y. Hwang. Quantum key distribution with high loss: Toward global secure communication. Physical Review 

Letters, 91(5):057901, Aug. 2003. 
[26] W.-Y. Hwang, I.-T. Lim, and J.-W. Park. No-clicking event in quantum key distribution. ArXiv Quantum Physics 

e-prints, 2004. quant-ph/04 12206 
[27] H. Inamori, N. Liitkenhaus, and D. Mayers. Unconditional security of practical quantum key distribution. Eu- 
ropean Physical Journal D, 41:599-627, Mar. 2007. 
[28] H.-K. Lo and H. F. Chau. Unconditional security of quantum key distribution over arbitrarily long distances. 

Science, 283:2050-2056, 1999. 
[29] H.-K. Lo. Proof Of Unconditional Security of Six-State Quatum Key Distribution Scheme. Quantum Information 

and Computation, l(2):81-94, Aug. 2001. 
[30] H.-K. Lo, X. Ma, and K. Chen. Decoy State Quantum Key Distribution. Physical Review Letters, 

94(23):230504-H, Jun. 2005. 

[31] V. Makarov, A. Anisimov, and J. Skaar. Effects of detector efficiency mismatch on security of quantum cryp- 

tosystems. Physical Review A, 74:022313, 2006. 
[32] C. Marand and P. Townsend Quantum key distribution over distances as long as 30 km Optics Letters, 20: 1695- 

1697, Aug. 1995. 

[33] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden and N. Gisin. "Plug and play" systems for quantum 
cryptography. Applied Physics Letters, 70:793-395, Feb 1997. 



17 



[34] V. Makarov and D. R. Hjelme. Faked states attack on quantum cryptosy stems. Journal of Modem Optics, 
52:691-705, May 2005. 

[35] D. Mayers. Unconditional security in quantum cryptography. J. ACM, 48(3):35 1-406, 2001, based on [4^]. 

[36] A. Niederberger, V. Scarani, and N. Gisin. Photon-number-splitting versus cloning attacks in practical imple- 
mentations of the Bennett-Brassard 1984 protocol for quantum cryptography. Physical Review A, 71:042316, 
2005. 

[37] M. A. Nielsen and 1. L. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 
Cambridge, UK, 2000. 

[38] A. Peres. How to differentiate between non-orthogonal states. Physics Letters A, 128:19, Mar 1988. 
[39] A. Peres. Quantum Theory: concepts and methods. Kluwer, Dordrecht, 1993. 

[40] V. Scarani, A. Acm, G. Ridbory and N. Gisin. Quantum Cryptography Robust against Photon Number Splitting 
Attacks for Weak Laser Pulse Implementations. Physical Review Letters, 92(5):057901-H-, Feb. 2004. 

[41] M. Scully and M. S. Zubairy. Quantum Optics. Cambridge University Press, Cambridge, United Kingdom, 
1997. 

[42] P. W. Shor and J. Preskill. Simple proof of security of the BB84 quantum key distribution protocol. Physical 

Review Letters, 85:441-444, 2000, based on l[28\l . 
[43] P. D. Townsend. Secure key distribution system based on quantum cryptography. Electronics Letters, 30:809- 

811, May. 1994. 

[44] L. Vaidman, Y. Aharonov, and D. Z. Albert. How to ascertain the values of a^, cfy, and az of a spin-1/2 particle. 
Physical Review Letters, 58(14):1385-1387, Apr. 1987. 

[45] X. B. Wang. Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography. Physical Review 
Letters, 94:230503, Jun. 2005. 

[46] A. Yao. Security of quantum protocols against coherent measurements STOC '95: Proceedings of the twenty- 
seventh annual ACM symposium on Theory of computing, pages 67-75, Las Vegas, Navada, United States, 1995. 

[47] Z. L. Yuan, A. W. Sharpe, and A. J. Shields. Unconditionally secure one-way quantum key distribution using 
decoy pulses. Applied Physics Letters, 90:1118— n, Jan. 2007. 

[48] http://www.idquantique.com/ 

[49] |http://www.magiqtech.com/P 



18 



Appendix 



A Mathematical Description of the PNS attack 

The PNS attack can be realized using (an infinite set of) polarization independent beams splitters. Eve uses 
a beam splitter to split photons from Alice's state. Using a non-demolition measurement Eve measures the 
number of photons in one output of the beam splitter, and repeat the splitting until she acquires exactly one 
photon. Formally Ue is defined: 

mEm)\ ^ mfEmfp mEiwr^ ^ \wfE\oofp 

\00fE\20n ^ \WfE\10fp \00fE\0lfA ^ mfEioofp 

lOOfElnfA ^ mfElWYp + |10f^|01)!4)/^/2. 

Whenever Alice sends a pulse with two photons of the same polarization, Eve and Bob end up, each, with 
having a single photon of the original polarization. 

Proposition 1. Eve's PNS attack for a pulse of 2 photons, gives Eve full information while inducing no 
errors. 

Proof. According to its definition it is trivial to verify the attack for the horizontal and vertical polarizations 
|0^)(2) and (where |P)('=) means k photons having polarization P). Using the standard creation 

and annihilation operators (a^ and we can write the state of two photons in the diagonal polarization 

{X basis): |0,)(2) = (^j={a\ + 4)) lOO)-^ = l{\20f + V2|ll)^ + |02)^), similarly = i (|20)'^ - 

V2|ll)'= + |02)'=). 

^|00fe(|20r + ^/2|llf + |02f)p 

^-{\10fE\lOfp + \0lfE\10fp + \10fE\0lfp + \0lfE\0lfp) 
liillOfE + |01)'i,)|10)'p + {\10fE + |01)'£;)|01)'p) 

^(iw^ + |oi)y(|io)^p + |oi)'p) 
l\ooTE{\W-V2\nf + \02f)p 

^(iiofeiiofp - ioir^iio)'p - iiofEmfp + loifsioifp) 
liiiiofE - mE)mp - hWe - ioi)'i,)ioi)'p) 

^(iW^-loi)y(iio)^p-loi)'p) 

^x)e\'^x)^P^ 

□ 

See any quantum optics book, e.g. 1411 



loofeio 



x/p 



\00fE\l 



x/p 



Ue 



Which completes the proof. 
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A.l Polarization change 

A Polarization based QKD protocol makes a use of a Pockel cell (Ub^), rotating the polarization of the 
photons going through it. For a single photon, its action is trivial, 

|10)'=^-L(|10)^ + |0in,and 
|Olf 5^-^(110)" -|Oin. 

(11) 

For a state that contains multiple photons, the transformation is not intuitive, and most simply defined using 
the creation and annihilation operators. In a somewhat simplified way, the Pokcel cell can be considered as 

performing a\ ^ (^TJ ("i + ^2)) ^"^^ ^2 ^ (ts'-^i ~ '^2)) > that a state is transformed in the following 
way 

F_ / t^"Y.t^™lnn\F"s^. ( ^ (J . jX( 1 (J .t^^"ln^\F 



\nmr=[a[) (^^j |00)^ ^ ^-^(aj + a^) j — - a^) j lOOf. (12) 

B QSoP of the Interferometeric Scheme: Supplementary Information 

B.l A (brief) graphical description of pulses evolution through interferometer 

See Figure [2] for evolution of a single occupied mode through the interferometer, and Figure [3] for evolution 
of two superpositioned modes. 

B.2 Evolution of modes through the interferometer 

In order to simplify the analysis (a simplification that is not allowed when proving the full security of 
a scheme) we look at the ideal case in which exactly one photon (or none) is sent by Alice. The ba- 
sis states are then the vacuum 1000000)*^ = \VJ^, and the six states (that we denote for simplicity by) 
IIOOOOO)^^ = \soJj^- lOlOOOO)''^ = Isi)''^; lOOlOOO)''^ = Isa)^^; lOOOlOO)^^ = Ido)'^; lOOOOlO)'^^ = \diJB 
and 1 00000 1)'^^ = 1^2)''^. 

The full transformation of a single photon pulse through the interferometer is given by Equation Q. 
Alice sends photons at time bins t'^ and t'l only, so the interferometer transformation on Alice's basis states 
is 100)^^10000)''^ ^ \Vjj^, and 

|10)''^|0000)'^^ ^ {\sofB - e'^\s^rB + i\dorB + i^'^\dirB) /2 ..3. 
lOir^lOOOO)^ ^ {\s{fB - e^^\s2fB + i\dirB + ie''^\d2fB) /2 , ^ ^ 



where |0000) ^ denotes ancilla added during the proces^ Equation 
ometer effect on a general qubit, shown in Equation ([6]l. 
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can be used to describe the interfer- 



The states sent by Alice during the "xy-BB84" protocol evolve in the interferometer as follows: 

- |S2>B + ^1^0)5 + 2i|di)'s + Wb) /V8 
2|si)'b + \s2Yb + Wb - i\d2)B) /V8 ^^4^ 

+ \s2fB + i\doTB - 2Mi)s - ^^2)'^) /V8 
2i\siYs - \s2fB + i\doTB + Wb) /V8 



Ox 


A 


<j)=0 


{\soTb 




A 


(/)=0 


Mb 


0, 


A 


</>=7r/2 


{\soTb 


1. 


A 


</>=7r/2 


{\soTb 



''Those ancillas (the space H^) are originated by Ahce extended space and by Bob (H^ ). Performing U ^ reveals the 
exact origin of those ancillas. 
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Bob can distinguish the computation basis elements of bases x and y, measuring time-bin ti, i.e. the states 
\dif for |0) and \ sif for |1) in the measured basis. Other states give Bob no information about the state sent 
by Alice. 

B.3 ^ of the "xyz-six-state" scheme 

Let Bob be using interferometric setups Ub^ and measuring 6 modes (corresponding the space with a basis 
state \nsQns^ns2niiQnd^nci2f^) with one or less photons. Following Definition [Sj the states spanning the 
space can be derived using Equation (|6]) (adjusted to the appropriate space): 

000000)'^ |00000000)'pp, 

010000)'^ - (-|01000000)'p5, + |00100000)'pp, - i|00000100)'pp, - i|00000010)'pp,) 
000010)'^ ^ - (-«|01000000)'pB, - ilOOlOOOOOfpp, + lOOOOOlOOfp^, - |00000010)'pp,) 
000000)'p |00000000)'pp, 

001000)'p - (-|00100000)'p5, + |00010000)'pp, - i 1 000000 10)'pp, - i 1 0000000 l)'pp,) 
000100)'p ^ - (-«|10000000)'pp, - i|01000000)'p5, + |00001000)'pB, - |00000100)'pp,) 
000000)'p lOOOOOOOOfpp, 

Ug^ 1 

010000)'p - (i|01000000)'pB, + |00100000)'pp, - |00000100)'pB, - ijOOOOOOlOfp^,) 

^b' 1 

000010)'p - (-|01000000)'p5, - i|00100000)'p5, - i|00000100)'pB, - |00000010)'pp,) (15) 

defined over the space ® H^' with basis state la^/ ^o^t'^o-t'^o-ti^h' J^t'J^t'J^t'^TpB'- Note that performing 
U^^ requires an additional ancilla, since the modes number increases from six to eight. 

B.4 QSoP of the "x?/-BB84" scheme 

Assume Bob measures only time-bin ti in both output arms of the interferometer, i.e. the measured space is 
subspace spanned by |0, , 0, 0, n^^j , 0)p. Assuming a single-photon restriction, the reversed space. 
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of that measured space that is spanned by: 



1 



loooooo)''^ \mmYpB, 

lOlOOOO)''^ ^ ^ (-|1000)'p5, + |0100)'p5, - i|0010)'pB, - i\mdlJpB,) 
|000010)'b - (-i|1000)'p5, - i|0100)'pB, + lOOlOfpg, - lOOOlfp^,) 
loooooo)''^ |0000)'pB, 

Ug^ 1 

|010000)'p ^ - (i|1000)pij/ + |0100)'pp, - |0010)'p5, - i|0001)'pB,) 

1 

|000010)'b - (-|1000)'pp, - ilOlOOfpB/ - ilOOlOfpp, - |0001)'pp,) (16) 

as can be verified using Equation ([6]l. The space ^ is embedded in a 4-mode space ® H^' , having 
the basis element lat'^CLf'^bf/^b^i^fp^,, i.e. Alice modes at times t'^ and t'^ and Bob's added ancillary modes at 

times Iq and t'l respectively. The resulting six states ( fTH] ) span a 4-dimensional space, i.e. ^ = H4,. The 
QSoP in this special case is = H^, spanned by \a^'^a^i^Y with one or less photons. 
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A A 



(a) 




Figure 1: Bob's laboratory setup for the x and y basis, (a) Alice sends a qubit; (b) Vacuum states are added 
in the interferometer; (c), (d) beam-splitters; (e) phase shifter Pa,. 
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(a) Time To: the pulse (1) is about to enter the interferom- 
eter. A vacuum ancUla (2) is added in the input of the first 
beam splitter. 



(3') 


141 










(3) 













(b) Time T\: Pulses (1) and (2) interfere and become a su- 
perposition of (3) and (3') in the short and long arms of 

the interferometer, respectively, |l)i|0)2 — ^ (|1)3|0)3' + 
«|0)3|1)3') / V^- Pulse (3) is about to enter the second beam 
splitter so a vacuum ancilla is added (4). 





Ao') As') 


1 (6) V 


s-Aim 

A® 



(c) Time T^: pulses (5) and (5') are created by pulses (3) 

and (4), ■^\Q)a\\)z ^ (i|l)5|0)5' +|0)5|l)5')/2. Pulse 
(3') is about to enter the second beam-splitter so a vacuum 
ancilla is added (6). 



— ^ 


(?•) (51 

A A 




\> s-Arm 

A(" 

A (5) 



(d) Time T;,: Pulses (7) and (7') are created by interfering 
(3') and (6). ;^|1)3'|0)6 ^ (i|l>7|0)7' - |0)7|l)7')/2. 



Figure 2: Evolution in time of a single photon pulse through an interferometer satisfying 

|1000)i,2,4,6 (|1000)5',7',5,7 - |0100)5',7',5,7 + *|0010)5',7',5,7 + ^|0001)5',7',5,7)/2. The num- 

bars represent the appropriate mode number of each pulse. The input state (|l)tQ|000)) consists of modes 
(1) for the pulse at to and (2), (4) and (6) for the vacuum ancillas. The output modes that correspond to the 
state l^-SQ, n^j, n^o, n^^) are modes (5'), (7')^ (5) and (7) respectively. 
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s-Arm 



(a) Time To : The general single-photon qubit (a 1 0) + /? 1 1 ) ) 
is sent to Bob is in two modes (1) and (2). Bob adds two 
vacuum ancillas (1') and (2') that interfere with the photon 
in the first beam splitter (BS-1). 
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(b) Time Ti : Modes ( 1 ) and ( 1 ' ) interfere and create (3 ) and 
(3') in the short and long arm respectively, a|l)i|0)i' -"^ 
^(|l>3|0)3'+i|0)3|l)3')- Pulse (3) is about to enter BS-2 
so a vacuum ancilla is added (4). 







(61 

A 


(3') 

A A 




J 




s-Aim 

A (5) 



(c) Time T2: Pulses (5) and (5') are created by the in- 



terference of (3) and (4) ^|0)4|1)3 



T|i)5|o)e 



f |0)5|1)5'- Pulses (6) and (6') created by the interference 

^(|1>6|0> 



of (2) and (2') in BS-1 /3|1)2|0)2' 
i|0>6|l>6'). . 
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(d) Time T3: Pulses (7) and (V) are created by the interfer- 
ence of (3') and (6) in BS-2 i| 1 1)3, |0)6 + ^ |0)3' 1 1)6 ^ 

^^^|1)7|0)7' + ^|0)7|1)7' • Pulse (6') is about to en- 
ter BS-2 so a vacuum ancilla is added (8). 
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(e) Time T^: Pulses (9) and (9') are created by the interfer- 
ence of (6') and (8) in BS-2 ^ |1)6' |0)8 f |1)9|0)9'- 

f|0>9|l>9'. 



Figure 3: Evolution in time of two modes through an interferometer satisfying (a|l)i|0)2 + 
/3|0)i|l)2)|0000)r,2',4,8 (§1100000) + ^loioooo) - fiooiooo) + f lOOOlOO) + 

^^^^lOOOOlO) + f |000001))5.,7/, ,9', 5, 7,9- The numbers represent the appropriate mode number of each 
pulse. The corresponding state is \nsf^ns^nsr^ndQnd^nd2) ■ 
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